Talk:Patches

From PS3 Developer wiki
Jump to navigation Jump to search

Shop firmware on Retail console

<patote> i used the same shop.tcl : http://pastie.org/1979531 :

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#
    
# Priority: 2300
# Description: Patch firmware for installation shop/promo unit

# Option --patch-promo-flags: Patch promo_flags file
# Option --patch-update-flags: Patch update_flags file
# Option --patch-version: Append string to build version

# Type --patch-promo-flags: boolean
# Type --patch-update-flags: boolean
# Type --patch-version: string 
    
namespace eval ::patch_shop {

    array set ::patch_shop::options {
        --patch-promo-flags true
        --patch-update-flags true
        --patch-version "Promotional-to-Retail"
    }

    proc main {} {
        if {$::patch_shop::options(--patch-promo-flags)} {
          debug "Patching [file tail $::CUSTOM_PROMO_FLAGS_TXT]"

        }
        if {$::patch_shop::options(--patch-update-flags)} {
          debug "Patching [file tail $::CUSTOM_UPDATE_FLAGS_TXT]"
          set fd [open $::CUSTOM_UPDATE_FLAGS_TXT w]
          puts -nonewline $fd "0000"
          close $fd
        }
        if {$::patch_shop::options(--patch-version) != ""} {
          append ::options(--build-suffix) "($::patch_shop::options(--patch-version))"
        }
    }
}

patote succesfully installed the resulting 3.55 PUP on a Retail console. The console is in locked mode after installation of the firmware.

 patote	8294 does nothing
 patote	0168 does nothing
 patote	5138 does nothing
 patote	1739 worked fine
 patote	or not ; it didnt said wrong password ; but all is still locked
 patote	2297 nothing
 patote	the code is................. 0000
 patote	and now the install package files and app_home are back in game menu
 patote	ohhh ; and in system too ; all the way down
 patote	if you go to security settings and do l1+r1+select+square it goes back to demo without turn the unit off
 patote	thats system settings install packages option only does blind installations
 patote	you cant browse the thumbdrive ; it just starts installing all the pkgs in the drive
 patote	it works ; but fails in geohot signed ones ; the regular ones installs without problems
 patote	theres another extra option
 patote	automatic update
 patote	"sets wheter to update the system software automatically via internet when the ps3 system is turned on"




FSELF patch appldr

MFW does not seem to have (proper) support for fself's.

Mathieulh	why do all those emu devs actually use geohot's tool on their selfs, I wonder xD
Mathieulh	the proper format to use is fself
Mathieulh	there are existing patches for fself on 3.41
Mathieulh	but those guys who make those so called cfw didn't port many patches at all
Mathieulh	if not any
Mathieulh	and the memory patcher one for fself isn't there
eussNL	ehm, including MFW Mathieulh ?
Mathieulh	you should just patch appldr
Mathieulh	and make the function that detects the model return true for debug
Mathieulh	and you get native fself + edata
Mathieulh	it's an easy patch
Mathieulh	you can also patch the sign check along with it
Mathieulh	4 bytes to patch
eussNL	I dont see a mention of appldr patch in MFW or I am overlooking it
Mathieulh	yeah MFW doesn't do that
Mathieulh	but there is a lv2 patch for fself too
Mathieulh	(memory patcher)
Mathieulh	at least in 3.41 there is
Mathieulh	it's in psgroove
Mathieulh	but it doesn't work for compressed fself
Mathieulh	it's better to patch appldr
Mathieulh	besides I use compressed fself on all my shit now xD
Mathieulh	saves some room :P
Mathieulh	people should just use fself anyway
Mathieulh	that way you don't need to sign or encrypt
Mathieulh	and it's future proof
Mathieulh	the geohot signed shit doesn't work with 3.56+ cause of the whitelistù
Mathieulh	so you have to patch the whitelist check in the ldr to get them to run
eussNL	some people are having trouble with ps3load/ps3loadx with launching it fselfs on CFWs
eussNL	and with makeself for the same reason I suppose
irssi_	devs won't support it if the CFW doesn't run it
Mathieulh	if the cfw doesn't run fself, it's not complete
Mathieulh	at least not to me
Mathieulh	all my personal cfw all run fself natively
eussNL	hmmm, seems a thing to add to MFW then... appldr patch for fselfs - if it isnt working now


the 4 byte patch he speaks of is:
< 00001360 40 80 0e 0c 20 00 57 83 32 00 04 80 32 80 80 8e |@... .W.2...2...|
---
> 00001360 40 80 0e 0c 20 00 57 83 32 11 73 00 32 80 80 8e |@... .W.2.s.2...|


Experimental

Patch Appldr task

patch_appldr.tcl

#!/usr/bin/tclsh
#
# ps3mfw -- PS3 MFW creator
#
# Copyright (C) Anonymous Developers (Code Monkeys)
#
# This software is distributed under the terms of the GNU General Public
# License ("GPL") version 3, as published by the Free Software Foundation.
#

# Priority: 300
# Description: Patch Appldr

# Option --patch-appldr-fself: Patch Appldr to allow Fself (set debug true)

# Type --patch-appldr: boolean

namespace eval ::patch_appldr {

    array set ::patch_appldr::options {
        --patch-appldr-fself true
    }

    proc main { } {
        set self "appldr"

        ::modify_coreos_file $self ::patch_appldr::patch_self
    }

    proc patch_self {self} {
        if {!$::patch_appldr::options(--patch-appldr-fself)} {
            log "WARNING: Enabled task has no enabled option" 1
        } else {
            ::modify_self_file $self ::patch_appldr::patch_elf
        }
    }

    proc patch_elf {elf} {
        if {$::patch_appldr::options(--patch-appldr-fself)} {
            log "Patching Appldr to allow Fself"

            set search  "\x40\x80\x0e\x0c\x20\x00\x57\x83\x32\x00\x04\x80\x32\x80\x80"
            set replace "\x40\x80\x0e\x0c\x20\x00\x57\x83\x32\x11\x73\x00\x32\x80\x80"

            catch_die {::patch_elf $elf $search 7 $replace} \
                "Unable to patch self [file tail $elf]"
        }
    }
}

Errorlog

Patching Appldr to allow Fself
Executing command ::patch_elf $elf $search 7 $replace
offset: 4967
Rebuilding self file appldr.self
Executing command makeself $in $out $original
Executing shell self_rebuilder {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr.elf} {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr.self} {Temp\PS3MFW\PS3MFW-MFW\update_files\CORE_OS_PACKAGE\appldr}
FATAL ERROR: Could not rebuild file appldr.self : child process exited abnormally
See Temp/PS3MFW/ps3mfw.log for more info
Last lines of log : 
*****************
  auth id:        1ff000000c000001 
  vendor id:      00000000ff000000
  app version:    3.55.0
  version suffix: 355 
  SDK type:       Retail (Type 0)
  app type:       secure loader
  file suffix:    355 (rev 0x0a)
  key file:   ps3keys\/ldr-key-355 (ERROR)
key_get failed
FATAL ERROR: Could not rebuild file appldr.self : child process exited abnormally
Error running script: Could not rebuild file appldr.self : child process exited abnormally

available LDR @ ps3keys: ldr-pub-retail, ldr-priv-retail, ldr-key-retail, ldr-iv-retail, ldr-ctype-retail

Just add those keys to the ps3keys folder to make the task work : ps3keys in RAR sfx (107.37 KB)

Offsets

3.55 : offset: 4967
3.50 : offset: 3459
3.42 : offset: 3395
3.41 : offset: 3395
3.40 : offset: 3395
3.30 or lower: FATAL ERROR: Unable to patch self appldr.elf : Could not find pattern to patch
3.30 offset: 2299 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )
3.21 offset: 3064 = "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )
3.20 DEBUG offset: 3064 =  "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )
3.15 offset: 3071 =  "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )
3.10 offset: 3071 =  "\x40\x80\x0e\x0d\x20\x00\x69\x09\x32\x00\x04\x80\x32\x80\x80" )

Conclusion / Status

Although it is possible to add as a task, it is not recommended in general. There is brick risk.

  <mall0ry> eussNL, that appldr fself patch is risky because it is patching a branch target


JFW MA-1 3.56 "bad idea"

http://www.multiupload.com/WO4UYJIJ6T

  SHA1: 9FDC74F0BB4244EF37DEFD20E7CF9E5B08BD4DD3  MD5: EFE066E4836393C8BF60A5CC6804DDC3  CRC32: 735B21DC  CRC16: 4766  HMAC_SHA1: 1D4382A5EB811859192DF75BB3284E284EF70601

Patches (compared to OFW 3.56) : http://pastie.org/private/z0evad6frsdlbntk2suqa
shortlist changed files:

  • lv1ldr
  • lv1.self
  • lv2ldr
  • lv2_kernel.self
  • appldr
  • nas_plugin.sprx
  • vsh.self
  • explore_category_game.sprx
  • explore_plugin.sprx

Request for anyone that installed this FW : lv1 and lv2 dump (can be done e.g. with glevand' PKGs).

dump_lv1.pkg (69.61 KB) dump_lv2.pkg (70.11 KB)
or dumperpack wich includes those 2 and other dumpers as well: dumperpack.rar (1.9 MB) http://www.multiupload.com/R34YRGY6Z8